Splunk Search

Splunk hangs browser doing simple search with ERROR StreamGroup log entry

working_dog
Explorer

Here is the log entry from splunkd.log:

12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - Dumping contents of file="/idm/idmt_home/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|129554|1844773|1114686|32866|97|

I've restarted Splunk with no success. I am on version Splunk 6.0 (build 182037)

Any suggestions?

Thanks

lmyrefelt
Builder

Another thing that might be a pointer to check out is whether you have any events not parsed correctly in this data.

I would check the klpitest index (in this case) for events with a linecount bigger than 1 (or whatever you expect from your events), and check if I have (a few) events with another timestamp or format in the data (since this looks like a custom input, custom sourcetype(?)).

At least I found some events that had not been parsed correctly in those indexes reported by this "Stream group" error.

I did not, however, find any other errors or warnings regarding parsing errors or whatnot in splunkd.log, for those who are wondering ...

0 Karma

wrangler2x
Motivator

I was seeing exactly the error as described by @khyoung, except the name of the hot bucket was different in my case (hot_v1_518 instead of hot_v1_1). I am on splunk 5.0.2 with "Splunk App for unix and linux" version 5.01. (I mention this because the OS db is used by this app). It did not hang my browser, but I happened to be running a tail -f in the background piping to a grep for ERROR and this started showing up after I had stopped splunk, manually re-installed the app, and restarted splunk. (I had to manually re-install the app because someone here accidentally rm'd something in there.)

So, I went searching for this error and found your splunk question and comments, and as no one had any answers -- and I had already tried stopping and starting splunk, I decided to try this (WARNING -- stop splunk first!)

splunk fsck --repair --index os --all

And guess what? After I restarted splunk I did not see this error anymore. See if it works for you.

0 Karma
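Added example, not part of any post in this thread and not Splunk tooling: a small Python triage script that reads splunkd.log text, collects the hot buckets named in `ERROR StreamGroup` lines, and prints the fsck command quoted above once per affected index. The sample log lines and paths are constructed, and the script assumes the directory directly above `db/` is the index name (the default layout), which may not hold for indexes with a custom homePath.

```python
import re
import shlex

# Constructed sample in the splunkd.log format quoted in this thread.
SAMPLE_LOG = """\
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - Dumping contents of file="/opt/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat" txnPerSync=97:
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|129554|1844773|1114686|32866|97|
12-23-2013 11:47:26.478 -0500 ERROR StreamGroup - <<<EOF file="/opt/splunk/var/lib/splunk/os/db/hot_v1_228/splunk-autogen-params.dat"
12-23-2013 11:47:56.480 -0500 ERROR StreamGroup - Dumping contents of file="/opt/splunk/var/lib/splunk/os/db/hot_v1_229/splunk-autogen-params.dat" txnPerSync=97:
01-13-2014 16:09:04.379 +0900 ERROR StreamGroup - Dumping contents of file="/opt/splunk/var/lib/splunk/klpitest/db/hot_v1_1/splunk-autogen-params.dat" txnPerSync=61:
"""

# Timestamp, then any StreamGroup ERROR line that names a params file
# under <index_dir>/db/<hot bucket>/.
STREAMGROUP_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'ERROR StreamGroup - .*?file="[^"]*/(?P<index>[^/"]+)/db/'
    r'(?P<bucket>hot_[^/"]+)/splunk-autogen-params\.dat"'
)

def affected_buckets(log_text):
    """Return {index_dir: {"buckets": [...], "hits": n, "first": ts, "last": ts}}."""
    found = {}
    for line in log_text.splitlines():
        m = STREAMGROUP_RE.match(line)
        if not m:
            continue  # other components, or the dumped file contents line
        entry = found.setdefault(
            m["index"],
            {"buckets": set(), "hits": 0, "first": m["ts"], "last": m["ts"]},
        )
        entry["buckets"].add(m["bucket"])
        entry["hits"] += 1
        entry["last"] = m["ts"]  # log is chronological, so last match wins
    for entry in found.values():
        entry["buckets"] = sorted(entry["buckets"])
    return found

def repair_commands(found):
    """Build the fsck command from this thread for each affected index.
    Run only with Splunk stopped, as the post above warns."""
    return [f"splunk fsck --repair --index {shlex.quote(idx)} --all"
            for idx in sorted(found)]

if __name__ == "__main__":
    report = affected_buckets(SAMPLE_LOG)
    for idx, info in sorted(report.items()):
        print(idx, info["buckets"], info["hits"], info["first"], info["last"])
    print("\n".join(repair_commands(report)))
```

To use it on a real system, pass the contents of splunkd.log to `affected_buckets` instead of `SAMPLE_LOG`.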

sideview
SplunkTrust

Is it possible that there's a single line event written into the logs that is extraordinarily long? I recently found that single line events with tens of thousands or hundreds of thousands of characters can hang the browser.

0 Karma

bensbrowning
Explorer

I'm getting this too, and I can't seem to figure it out. Have you guys had any luck yet?

0 Karma

khyoung7410
Communicator

Me too....
I am on version Splunk 6.0.1 and using *NIX

01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - SPLUNK AUTO-GENERATED FILE. DO NOT MODIFY.|134044|1554700|1117670|32830|61|
01-13-2014 16:08:34.380 +0900 ERROR StreamGroup - <<<EOF file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat"
01-13-2014 16:09:04.379 +0900 ERROR StreamGroup - Dumping contents of file="/opt/sp_test/splunk/var/lib/splunk/os/db/hot_v1_1/splunk-autogen-params.dat" txnPerSync=61:

0 Karma